Communication systems that send traffic over-the-air (OTA) typically require some form of encryption to protect the privacy of the transmitted data. Additionally, many systems require secure authentication in order to prevent extraneous data, or altered versions of transmitted data, from being processed by a receiver.
An authenticated encryption scheme is a mechanism by which a message is transformed into ciphertext and an authentication code, with the goal that the output protects both the privacy and the authenticity of the message. The last several years have seen the emergence of authenticated encryption as a recognized cryptographic goal, and numerous methods have been developed for a variety of communication systems.
One form of authenticated encryption employs a two-pass scheme, wherein two passes are made through the plaintext data: the first aimed at providing authenticity and the second, privacy. FIGS. 1-3 show block diagrams of representative prior art for authenticated encryption, each of which employs a block cipher to encrypt the data and to generate a message authentication code (MAC), and then transmits the MAC and ciphertext, to provide authenticity and privacy, respectively. In general, a block cipher generates ciphertext given plaintext, an initialization vector (IV) and a key, wherein the key is a secret shared by the transmitter and the receiver and the ciphertext is transmitted over-the-air. The two-pass schemes considered herein use the same key for both the encryption and the MAC generation functionality.
FIG. 1 depicts a block diagram of the “MAC-then-Encrypt” approach, wherein a keyed hash of the plaintext is used to generate the MAC, and subsequently a function of the plaintext and the MAC is encrypted using a block cipher to generate the ciphertext. In addition to the plaintext/MAC input, the block cipher relies on an initialization vector (IV) and a key. The MAC and ciphertext are transmitted over-the-air.
A variation of this scheme is shown in FIG. 2, which depicts a block diagram of the “Encrypt-and-MAC” approach, wherein the plaintext is first encrypted using the block cipher to generate the ciphertext, and then independently processed using the hash function to generate the MAC. The ciphertext and MAC are transmitted over-the-air.
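The two two-pass constructions of FIGS. 1 and 2, written out as an added example that is not part of the original description: the block cipher is AES-128 in counter (CTR) mode, the keyed hash that produces the MAC is HMAC-SHA256, and the keys and IV are constructed sample values. The text's schemes use one key for both functions; the example keeps the encryption key and the MAC key as separate parameters so that a caller can supply independent keys, which is the safer practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample keys and IV (assumed values, not from the page). In a
// counter-based system the IV would be derived from a shared counter rather
// than chosen here.
var (
	sampleEncKey = []byte("0123456789abcdef")                 // 16 bytes -> AES-128
	sampleMacKey = []byte("fedcba9876543210fedcba9876543210") // HMAC-SHA256 key
	sampleIV     = []byte("counter-iv-00001")                 // 16 bytes, one CTR block
)

// ctrCrypt applies AES in counter (CTR) mode under key with a 16-byte IV.
// CTR is its own inverse, so one function both encrypts and decrypts.
func ctrCrypt(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// tag is the keyed hash that plays the MAC role in FIGS. 1 and 2.
func tag(key, data []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return h.Sum(nil)
}

// MACThenEncrypt (FIG. 1): MAC the plaintext, then encrypt plaintext||MAC.
// The MAC reaches the receiver inside the ciphertext.
func MACThenEncrypt(encKey, macKey, iv, plaintext []byte) ([]byte, error) {
	t := tag(macKey, plaintext)
	buf := append(append([]byte{}, plaintext...), t...)
	return ctrCrypt(encKey, iv, buf)
}

// MACThenEncryptOpen decrypts, splits off the MAC and verifies it over the plaintext.
func MACThenEncryptOpen(encKey, macKey, iv, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < sha256.Size {
		return nil, errors.New("ciphertext shorter than one MAC")
	}
	buf, err := ctrCrypt(encKey, iv, ciphertext)
	if err != nil {
		return nil, err
	}
	n := len(buf) - sha256.Size
	plaintext, t := buf[:n], buf[n:]
	if !hmac.Equal(t, tag(macKey, plaintext)) {
		return nil, errors.New("MAC verification failed")
	}
	return plaintext, nil
}

// EncryptAndMAC (FIG. 2): encrypt the plaintext and, independently, MAC the
// plaintext. Ciphertext and MAC are sent side by side.
func EncryptAndMAC(encKey, macKey, iv, plaintext []byte) (ciphertext, mac []byte, err error) {
	ciphertext, err = ctrCrypt(encKey, iv, plaintext)
	if err != nil {
		return nil, nil, err
	}
	return ciphertext, tag(macKey, plaintext), nil
}

// EncryptAndMACOpen must decrypt before it can check the MAC, because the MAC
// was computed over the plaintext, not the ciphertext.
func EncryptAndMACOpen(encKey, macKey, iv, ciphertext, mac []byte) ([]byte, error) {
	plaintext, err := ctrCrypt(encKey, iv, ciphertext)
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(mac, tag(macKey, plaintext)) {
		return nil, errors.New("MAC verification failed")
	}
	return plaintext, nil
}

func main() {
	pt := []byte("status report 42")
	ct, _ := MACThenEncrypt(sampleEncKey, sampleMacKey, sampleIV, pt)
	got, err := MACThenEncryptOpen(sampleEncKey, sampleMacKey, sampleIV, ct)
	fmt.Printf("MAC-then-Encrypt: %q err=%v\n", got, err)

	ct2, m, _ := EncryptAndMAC(sampleEncKey, sampleMacKey, sampleIV, pt)
	ct2[0] ^= 0x01 // simulate an over-the-air bit flip
	_, err = EncryptAndMACOpen(sampleEncKey, sampleMacKey, sampleIV, ct2, m)
	fmt.Println("Encrypt-and-MAC after tamper:", err)
}
```

Two properties of these constructions are worth keeping in mind. In both, the receiver has to run the block cipher before it can reject a forged message, so decryption work is spent on unauthenticated input. In Encrypt-and-MAC the MAC is a deterministic function of the plaintext sent in the clear, so two transmissions of the same plaintext are recognizable by their identical MACs even though the ciphertexts differ.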
FIG. 3 depicts the EAX mode of operation, a representative of the variant typically referred to as authenticated encryption with associated data. This variant ensures the privacy of the plaintext message as well as the authenticity of both the plaintext and an additional header string, the associated data, which is not itself encrypted. As seen in FIG. 3, the ciphertext to be transmitted over-the-air is generated in a single pass of the plaintext through the block cipher in counter mode, whereas the MAC is generated as a function of authentication values computed over the IV, the OTA ciphertext and the header string, each processed with a MAC construction (OMAC in the EAX specification) that is built from the block cipher but is distinct from the counter-mode encryption applied to the plaintext.
Each of the prior art approaches uses a block cipher and, in particular, may employ a counter-based mode of operation, an especially important class of block cipher modes due to its efficiency. These counter-based cipher systems use a time value or a simple incrementing counter (or a function of that counter), known at both the transmitter and the receiver, to generate the IV. Once the system is synchronized, the IV need not be transmitted over-the-air, thereby reducing overhead. Overhead may dominate in communication systems with short message payloads, and its reduction is paramount in systems with constrained throughput.
However, it is essential that the counter in a counter-based system never repeat, since using a common IV (generated from a common counter value) on different plaintext data results in a security breach for many block cipher modes; in counter mode, for example, two messages encrypted under the same key and IV are XORed with the same keystream, so an eavesdropper who XORs the two ciphertexts obtains the XOR of the two plaintexts without knowing the key. As seen in FIGS. 1-3, none of the prior art approaches can ensure that a counter-based IV will not repeat, since avoiding reuse of the same counter value can be challenging.
In practice, the counter value may repeat in a number of scenarios, which results in an identical IV being used to encrypt more than one message. Simple counters can be reset by reboot or re-initialization operations. Time-based counters may repeat if continuous time service is not available. In an example, a communication system that uses the GPS system as a distributed time reference may start up with an approximate time if GPS is unavailable; later, when GPS becomes available, it may be determined that the time base needs to be adjusted backward. In this situation, the time-based IV would repeat, thereby compromising the security of the over-the-air transmissions.
Counter-based block cipher modes are increasing in use due to their efficient implementations and minimization of over-the-air transmissions. Thus, there is a need for generating initialization vectors that do not repeat in counter-based cipher systems.
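The failure mode described above, as an added example that is not part of the original description and does not represent the patent's own solution: AES-CTR with an IV derived from a shared counter value, the eavesdropper's computation when that counter value is used twice, and a transmitter-side guard that refuses a counter value which repeats or goes backward (the reboot and stepped-back-GPS-time cases). The key, the plaintexts and the counter values are constructed sample data; `IVSource` is a hypothetical name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed sample key (assumed value, not from the page).
var sampleKey = []byte("0123456789abcdef") // AES-128

// ivFromCounter builds a 16-byte CTR-mode IV from a 64-bit shared counter or time
// value. The message counter occupies the upper 64 bits; the lower 64 bits are
// CTR's in-message block counter, so the keystreams of successive messages cannot
// overlap even for long messages.
func ivFromCounter(ctr uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[:8], ctr)
	return iv
}

// CTREncrypt encrypts plaintext with AES-CTR under key using the counter-derived IV.
func CTREncrypt(key []byte, ctr uint64, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, ivFromCounter(ctr)).XORKeyStream(out, plaintext)
	return out, nil
}

// xorBytes returns a XOR b, truncated to the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverWithReusedIV is the eavesdropper's computation when c1 and c2 were produced
// under the same key and the same counter value: both messages were XORed with the
// same keystream, so c1 XOR c2 == p1 XOR p2, and a known p1 exposes p2. No key needed.
func RecoverWithReusedIV(c1, c2, knownP1 []byte) []byte {
	return xorBytes(xorBytes(c1, c2), knownP1)
}

// IVSource (hypothetical) is a transmitter-side guard: it derives IVs from a counter
// or time value but refuses any value that does not strictly exceed the last one it
// issued, so a reset counter or a backward time adjustment fails closed instead of
// silently repeating an IV.
type IVSource struct {
	last    uint64
	started bool
}

// Next returns the IV for candidate, or an error if candidate repeats or regresses.
func (s *IVSource) Next(candidate uint64) ([]byte, error) {
	if s.started && candidate <= s.last {
		return nil, fmt.Errorf("counter %d would repeat or regress (last used %d)", candidate, s.last)
	}
	s.last, s.started = candidate, true
	return ivFromCounter(candidate), nil
}

func main() {
	p1 := []byte("telemetry: battery 87%") // assume the eavesdropper knows this one
	p2 := []byte("command: open valve 3")  // the message to be kept private
	c1, _ := CTREncrypt(sampleKey, 7, p1)
	c2, _ := CTREncrypt(sampleKey, 7, p2) // counter value 7 used twice
	fmt.Printf("recovered without the key: %q\n", RecoverWithReusedIV(c1, c2, p1))

	var src IVSource
	for _, ts := range []uint64{1000, 1001, 999} { // time base later stepped back
		if _, err := src.Next(ts); err != nil {
			fmt.Println("refused:", err)
		}
	}
}
```

The guard only helps if its `last` value survives the events that cause repeats: it has to be committed to non-volatile storage before the IV it protects is used, otherwise a reboot restores a stale value and the simple-counter reset case reappears. Rekeying once the counter space is exhausted is the other half of the same discipline.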